After a brief hiatus, it seems Zoom has come onto the radar of security researchers again. Recently, a critical vulnerability affecting Zoom surfaced online that leaked sensitive data about Zoom Meetings. Fortunately, the flaw received a fix before any exploit appeared.
Zoom Vulnerability Leaked Meetings Data
Reportedly, security firm Gais Security caught a critical vulnerability affecting the Zoom platform. Exploiting the vulnerability could result in leakage of sensitive data about Zoom Meetings. The researchers have shared a detailed vulnerability report regarding these findings.
As revealed, the researchers identified an Insecure Direct Object Reference (IDOR) vulnerability that could lead to data exposure.
Briefly, they found that anyone could extract the random ID numbers in the ‘Other Meetings’ or ‘Personal Meetings’ categories by fuzzing.
In the case of Other Meetings, anyone could access the UserID of the user who created the meeting, the meeting endpoint, its details, and the subject of the meeting.
In the case of Personal Meetings, by contrast, the researchers found that password usage was not mandatory. Consequently, sensitive data was exposed. As stated by the researchers,
As a result of fuzzing “Personal Meeting” numbers produced with random numbers between 9 and 11 digits, it was determined that the passwords of the future meeting records, in which users are assigned as “Schedule Meeting”, were accessed. In brute force attacks on meeting id values at the relevant address, meeting information and password information for hundreds of thousands of personal and corporate accounts were accessed.
Zoom Patched The Flaw
Upon finding the vulnerability, the researchers reached out to Zoom to inform them of the flaw.
Following their report, Zoom fixed the bug by applying numerous patches. As explained by Gais, the fixes include assigning passwords to the ‘Personal Meeting’ ID number, mandatory password assignment when creating a ‘Schedule Meeting’, required approval from the moderator for incoming users joining the meeting, and hiding the sensitive data in the web app.
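The IDOR pattern described above, and the shape of the fixes Gais lists, can be shown side by side. The following is an added example with a hypothetical in-memory meeting service; it is not Zoom's code, and the meeting IDs, user IDs and passwords are constructed sample values. The vulnerable lookup hands out the full record (host UserID and password included) to anyone who guesses an ID; the hardened lookup requires the caller to be the host or to present the meeting password, refuses meetings that have no password at all, strips the sensitive fields from the response, and counts failed lookups per caller so ID fuzzing can be flagged.

```python
"""Hypothetical meeting lookup service, before and after the IDOR fix.
Not Zoom's code; all IDs and secrets below are constructed sample data."""
import hmac
from collections import Counter
from dataclasses import dataclass
from typing import Optional

@dataclass
class Meeting:
    meeting_id: int
    host_user_id: str
    topic: str
    join_url: str
    password: Optional[str]  # None models the missing mandatory password

# Constructed sample records (9 to 11 digit IDs, as in the report).
MEETINGS = {
    8123456789: Meeting(8123456789, "u-42", "Board sync",
                        "https://example.invalid/j/8123456789", None),
    9011223344: Meeting(9011223344, "u-7", "Payroll review",
                        "https://example.invalid/j/9011223344", "s3cret"),
}

def lookup_vulnerable(meeting_id: int) -> Optional[dict]:
    """Before the fix: whoever guesses an ID gets the whole record,
    including the host's UserID and the password."""
    m = MEETINGS.get(meeting_id)
    return None if m is None else vars(m).copy()

_failures: Counter = Counter()  # failed lookups per caller
ENUM_THRESHOLD = 20             # assumed threshold for flagging ID fuzzing

def lookup_hardened(meeting_id: int, caller_user_id: str,
                    password: Optional[str] = None) -> Optional[dict]:
    """After the fix: the host sees the meeting; anyone else must present
    the password, a meeting without a password is not joinable by ID alone,
    and the response never carries the password or host UserID."""
    m = MEETINGS.get(meeting_id)
    if m is None:
        _failures[caller_user_id] += 1
        return None
    if m.host_user_id != caller_user_id:
        if (m.password is None or password is None
                or not hmac.compare_digest(m.password, password)):
            _failures[caller_user_id] += 1
            return None
    return {"meeting_id": m.meeting_id, "topic": m.topic, "join_url": m.join_url}

def is_enumerating(caller_user_id: str) -> bool:
    """True once a caller's failed lookups look like ID fuzzing."""
    return _failures[caller_user_id] >= ENUM_THRESHOLD
```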
Besides introducing the fixes, Zoom also awarded the researchers with a $1000 bounty for their discovery.